Controlling access to ISE PSNs for SSH Access

VinnyR
Level 1

Hi Guys,

I'm trying to find out what the best way would be to control access to our ISE PSNs via SSH. At this moment SSH is enabled, which permits access to the devices from almost anywhere in the LAN.

Are there options to enable host-based ACLs to permit access from only certain IP addresses/subnets?

Thank you

3 Replies

Damien Miller
VIP Alumni
Limited options on ISE for this, it's not like a switch VTY line where you can apply an ACL. You could however disable SSH completely, "no service sshd enable". At that point you would manage this from the CIMC or VMware console, enabling SSH when you need.

Hi @VinnyR

You can achieve this through the Admin Access List in the ISE GUI. I thought this only applied to GUI access, but I was pleasantly surprised to find that it also applies to the CLI access.

Having said that, I don't have a distributed deployment to test this on - in my case I am using an all-in-one Node.

Below I tested this by only allowing my NOC to access ISE from a wired LAN subnet, 192.168.100.0/24.

acl.PNG

Accessing the GUI from any other subnet will show this as a result:

oops.PNG

On the SSH access, you won't get a TCP connection success - the session will just hang.

Make sure you test this (or implement this) in a sensible manner. I don't know how to revert this change if you should cut yourself off from the Admin GUI. There doesn't seem to be a CLI command to revert the changes via console. Be very careful!
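The two checks a practitioner would want around the change described above, as an added example that is not part of the original thread: a pre-change test that the operator's own source address is still covered by the proposed allow list (so you do not cut yourself off), and a post-change TCP probe that distinguishes a refused SSH connection from the "session just hangs" timeout. The subnet 192.168.100.0/24 and the sample operator addresses are constructed values.

```python
import ipaddress
import socket


def parse_entries(entries):
    """Parse allow-list entries; a bare address becomes a /32 (or /128)."""
    return [ipaddress.ip_network(e.strip(), strict=False) for e in entries]


def lockout_risk(entries, operator_ip):
    """True when operator_ip is NOT covered by any entry in the proposed list."""
    addr = ipaddress.ip_address(operator_ip)
    # Membership across IPv4/IPv6 families simply evaluates False.
    return not any(addr in net for net in parse_entries(entries))


def probe_ssh(host, port=22, timeout=5.0):
    """Classify a TCP connect attempt as 'open', 'refused' or 'timeout'.

    A host-based filter that silently drops packets shows up as 'timeout',
    which is the hanging behaviour described in the reply above.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except socket.timeout:      # must precede OSError; it is a subclass of it
        return "timeout"
    except OSError:
        return "refused"


if __name__ == "__main__":
    # Constructed sample: the NOC subnet from the reply, checked against
    # an operator on that subnet and one who would be locked out.
    proposed = ["192.168.100.0/24"]
    for ip in ("192.168.100.7", "10.20.30.40"):
        state = "LOCKOUT RISK" if lockout_risk(proposed, ip) else "covered"
        print(f"{ip}: {state}")
    # Probe a placeholder address; replace with the PSN's IP after the change.
    print("ssh probe:", probe_ssh("127.0.0.1", 1, timeout=1.0))
```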

 

 

Hi @VinnyR,

@Arne Bier has given you the best way; I tested this as well in a previous role.
